Understanding IDS for Linux

Pedro discusses the different types of intrusion detection systems and shows how to create signatures to identify attacks.

Tripwire

Tripwire is an example of an HBIDS for Linux [see Michael
Rash's Paranoid Penguin, LJ February 2002 for
an open-source alternative to Tripwire]. It counts as an
HBIDS because it provides the file-integrity checking that the base
system lacks. With Tripwire, the user defines, in a configuration file,
a set of files that he or she wishes to protect against changes,
and Tripwire then records a checksum of these files along with their
attributes. If any of them change, it can send an alert to the system
administrator. The default configuration file provides a good
starting point, but the user also must customize it to reduce the
chance of false positives. Pay special attention to the log files.
It doesn't make sense to include the log files in the set of
files you select to be checked, since you know they will
grow as soon as any event happens, such as a login.

Tripwire can be used together with the cron scheduler
dæmon. In this mode, users can automate the process and
define when they want it to run.
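The checksum-plus-attributes idea described above, as an added example that is not Tripwire's code or the article's own: a small baseline/compare tool that hashes each regular file under a directory, records a few inode attributes alongside the hash (the attribute set chosen here is my own assumption, not Tripwire's policy), and supports an exclusion list so that growing log files do not trigger alerts. The demo() scenario is constructed inside a temporary directory: a binary is replaced with different content of the same size (so only the hash, not the size, reveals the change) while a log file is appended to and correctly ignored.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path):
    """Content hash plus the attributes compared on each run (assumed set, not Tripwire's)."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(root, exclude=()):
    """Fingerprint every regular file under `root`, skipping excluded path prefixes.

    `exclude` entries are paths relative to `root`, e.g. ("var/log",), so that
    files that legitimately change all the time do not produce false positives.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel == e or rel.startswith(e.rstrip("/") + "/") for e in exclude):
            continue
        baseline[rel] = fingerprint(p)
    return baseline


def compare(old, new):
    """Report files added, removed and changed between two baselines.

    For changed files the report lists each differing attribute as (old, new).
    """
    report = {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": {},
    }
    for rel in sorted(set(old) & set(new)):
        diffs = {k: (old[rel][k], new[rel][k]) for k in old[rel] if old[rel][k] != new[rel][k]}
        if diffs:
            report["changed"][rel] = diffs
    return report


def demo():
    """Constructed scenario: baseline a tree, then tamper with a binary and grow a log."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "bin" / "login").write_bytes(b"original binary")
        (root / "var" / "log" / "messages").write_text("boot\n")
        excluded = ("var/log",)
        base = build_baseline(root, exclude=excluded)

        # Same-length replacement: size and mode stay equal, only the hash differs.
        (root / "bin" / "login").write_bytes(b"trojaned binary")
        # Normal log growth, which the exclusion list keeps out of the report.
        with open(root / "var" / "log" / "messages", "a") as f:
            f.write("login\n")
        return compare(base, build_baseline(root, exclude=excluded))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be written to disk and kept on read-only or offline media, since an attacker with root can otherwise rewrite it along with the files it protects; the same concern is why the LIDS section later in the article protects files even from root.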

PortSentry

PortSentry [see also “PortSentry” by Anthony Cinelli on the
LJ web site,
/article/4751]
is part of the Abacus Project, from Psionic Software, whose goal is
to “produce a suite of tools to provide host-based security and
intrusion detection free to the internet community”. It is an
important kind of HBIDS because it detects packets addressed to the
host and can be used with TCP Wrappers and iptables. This type of
detection is useful because a port scan is often a precursor to an
attack. PortSentry can detect TCP and UDP port scans, alerting you
to other hosts that probe a port on which you run a service. The
next step is to check for new patches or updates, or even to
configure it to create ACLs (access control lists) that block future
connections from the scanning host, using TCP Wrappers. It also can
create rules in the firewall, i.e., iptables, to drop everything
from the scanning host. The following is an example of PortSentry
alerts from Syslog:
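The detection-then-block idea from the paragraph above, as an added example that is not PortSentry's own code: a simplified scan detector that flags a source address touching many distinct ports within a short window, and renders the resulting block list as TCP Wrappers hosts.deny entries and iptables DROP rules. Real PortSentry works differently (it binds to unused ports and reacts to any connection attempt on them); the threshold-and-window logic, the input record format and the sample addresses here are my own assumptions, and the records are constructed.

```python
from collections import defaultdict

# Constructed connection records: (timestamp_seconds, source_ip, dst_port, proto).
# 192.0.2.10 sweeps six TCP ports in three seconds; the other two sources are benign.
SAMPLE_CONNECTIONS = [
    (0, "192.0.2.10", 21, "tcp"),
    (1, "192.0.2.10", 22, "tcp"),
    (1, "192.0.2.10", 23, "tcp"),
    (2, "192.0.2.10", 25, "tcp"),
    (2, "192.0.2.10", 80, "tcp"),
    (3, "192.0.2.10", 110, "tcp"),
    (5, "198.51.100.5", 22, "tcp"),
    (9, "198.51.100.5", 22, "tcp"),
    (12, "203.0.113.9", 53, "udp"),
]


def detect_scans(records, threshold=5, window=10):
    """Return {source_ip: sorted list of (port, proto)} for sources that touch at
    least `threshold` distinct ports within any `window`-second span.

    Repeated connections to one port (a retrying client) never count as a scan,
    which keeps a single busy service from tripping the detector.
    """
    per_source = defaultdict(list)
    for ts, src, port, proto in sorted(records):
        per_source[src].append((ts, port, proto))

    scanners = {}
    for src, events in per_source.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {(p, pr) for _, p, pr in events[start:end + 1]}
            if len(ports) >= threshold:
                scanners[src] = sorted(ports)
                break
    return scanners


def hosts_deny_entries(scanners):
    """TCP Wrappers lines for /etc/hosts.deny blocking every flagged source."""
    return ["ALL: %s" % src for src in sorted(scanners)]


def iptables_rules(scanners):
    """iptables commands that drop all traffic from every flagged source."""
    return ["iptables -I INPUT -s %s -j DROP" % src for src in sorted(scanners)]


if __name__ == "__main__":
    found = detect_scans(SAMPLE_CONNECTIONS)
    for src, ports in found.items():
        print("scan from %s on ports %s" % (src, ports))
    print("\n".join(hosts_deny_entries(found)))
    print("\n".join(iptables_rules(found)))
```

The usual caveat with automatic blocking applies here as it does with PortSentry: a scan with a spoofed source address can be used to get a legitimate host blocked, so the block list should exempt addresses you depend on (PortSentry's ignore file serves that purpose) and the rules should expire rather than accumulate forever.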

Swatch

Swatch is a log watcher that observes the logs and alerts the
security administrator about predefined strings found in a log
file, e.g., /var/log/messages. In the example below, I created a
very simple Swatch configuration file and chose to define the
strings “snort” and “portsentry” and send the alert to the screen
in different colors (and with a beep) every time it finds
these strings:

# Alert in red, with a beep, on any line mentioning snort
watchfor /snort/
    echo red
    bell
# Alert in blue, with a beep, on any line mentioning portsentry
watchfor /portsentry/
    echo blue
    bell
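The same rule-then-actions behaviour, as an added example that is neither Swatch's code nor the article's: a small parser for the watchfor/echo/bell configuration shape shown above, applied to a few constructed syslog lines. The sample log lines, host name and addresses are made up, and the assumption that the first matching watchfor rule consumes a line (Swatch needs an explicit continue action to keep matching) is mine.

```python
import re

# The article's Swatch configuration, reproduced here as input for the parser.
CONFIG = """\
watchfor /snort/
    echo red
    bell
watchfor /portsentry/
    echo blue
    bell
"""

# Constructed syslog-style lines; host, PIDs and addresses are invented.
SAMPLE_LOG = """\
Mar  3 10:01:12 gw portsentry[612]: attackalert: TCP SYN/Normal scan from host: 192.0.2.10/192.0.2.10 to TCP port: 23
Mar  3 10:01:13 gw sshd[700]: Accepted password for pedro from 198.51.100.5 port 4022
Mar  3 10:02:40 gw snort[455]: [1:1000001:1] scan detected {TCP} 192.0.2.10:4412 -> 203.0.113.7:80
"""

ANSI = {"red": "\033[31m", "blue": "\033[34m", "reset": "\033[0m"}


def parse_config(text):
    """Turn watchfor/action lines into a list of {pattern, actions} rules.

    Actions are the indented lines that follow a watchfor; '#' lines are comments.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("watchfor"):
            pattern = line.split(None, 1)[1].strip().strip("/")
            rules.append({"pattern": re.compile(pattern), "actions": []})
        elif rules:
            rules[-1]["actions"].append(line.split())
        else:
            raise ValueError("action before any watchfor: %r" % raw)
    return rules


def render(actions, line):
    """Resolve a rule's actions into what would be shown for a matching line."""
    alert = {"line": line, "color": None, "bell": False}
    for act in actions:
        if act[0] == "echo":
            alert["color"] = act[1] if len(act) > 1 else None
        elif act[0] == "bell":
            alert["bell"] = True
    return alert


def apply_rules(rules, lines):
    """Run every log line through the rules; the first matching rule wins (assumption)."""
    alerts = []
    for line in lines:
        for rule in rules:
            if rule["pattern"].search(line):
                alerts.append(render(rule["actions"], line))
                break
    return alerts


def display(alert):
    """Print an alert with ANSI colour and a terminal bell, as Swatch's echo/bell do."""
    color = ANSI.get(alert["color"], "")
    bell = "\a" if alert["bell"] else ""
    print("%s%s%s%s" % (bell, color, alert["line"], ANSI["reset"] if color else ""))


if __name__ == "__main__":
    for a in apply_rules(parse_config(CONFIG), SAMPLE_LOG.splitlines()):
        display(a)
```

Matching on the bare program name, as the article's configuration does, is deliberately loose: it catches every message these tools emit, at the cost of also firing on unrelated lines that happen to contain the word. Tightening the patterns to the specific alert text (for instance the attackalert prefix PortSentry uses) is the usual next step once the watcher proves noisy.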

I also could ask Swatch to send an e-mail or execute a
command when it finds something. As a result of the previous
Swatch config file, I received these alerts:

LIDS

LIDS stands for Linux intrusion detection system. It is a
project that tries to give Linux some extra security features,
deployed as kernel patches. These features include file
and process protection and port-scan detection. The first two
deserve a little more explanation. File and process protection will
guard even against changes by the root superuser. This is very useful
because when a cracker exploits a bug in your system, such as a
buffer overflow, that person will have root access that permits him
or her to do almost anything, such as install rootkits, change
logs, erase your HTML pages, etc. With these features you can
define ACLs to control files and require passwords to access or change
them, preventing changes by unauthorized users, even root. The same
holds for processes, because it protects your system from
altered binaries and dæmons. Another good feature is that it
offers a port-scan detector in kernel space.

NIDS

Network intrusion detection systems are the kind of IDSes
responsible for detecting attacks related to the network. One point
of disagreement is where they should be deployed. You may encounter
network topologies where the NIDS sits in front of a firewall, and
others where it sits behind it. As I said before, there are good
arguments for both; it depends on your needs. In these examples I
will use the open-source Snort.
